Recorded Webinar: ICANN 64 Kobe Insights

ICANN 64 Kobe Insights

Enjoy a look back on the ICANN 64 policy forum in Kobe, Japan, including the discussions on internet policy development, outreach, and community networking.

Expert Gretchen Olive, CSC director of Policy and Industry Affairs, relays what she learned at the March 9 meeting, including her insights on the increasing competition on the web, and the latest domain name and brand protection developments. As always, she'll also share best practices for internet brand protection strategies, and can answer your pressing questions.

Slideshare


ICANN 64 Kobe Insights from CSC

Webinar Transcript:

Annie: Hello, everyone, and welcome to today's webinar, ICANN 64 Kobe Insights. My name is Annie Triboletti, and I'll be your moderator.

Before we get started, I'd like to make a few announcements. You can enter your questions and comments in the Q&A widget at any time during the presentation. We have a lot of material to cover today so we will do our best to answer your questions and we'll be sure to follow up with you after the webinar if we do not have a chance to answer.

If you are experiencing any technical difficulties, we are happy to help you troubleshoot the problem.

At the bottom of your screen are multiple application widgets you can use. All the widgets are resizable and movable, so feel free to move them around to get the most out of your desktop space. You can expand your slide area or maximize it to full screen by clicking on the arrows in the top right corner.

In the resource widget, you will find a PDF copy of today's presentation and a link to the DBS blog, Digital Brand Insider. We encourage you to download any resources or links that you may find useful.

Joining us today is Gretchen Olive. Gretchen is the Director of Policy and global Domain Name Services for CSC. For nearly two decades, Gretchen has helped Global 2,000 companies devise global domain names, trademarks, and online brand protection strategies, and is a leading authority on the Internet Corporation for Assigned Names and Numbers', or ICANN, new GTLD program.

And with that, let's welcome Gretchen.

Gretchen: Thanks, Annie, and thanks to everyone on the line for joining us today. We have a lot to cover as Annie already mentioned. So we're going to get right to it. Quickly, let's just look at the agenda. I know for those of you who may have attended these sessions before, you're thinking, "Hey, this doesn't look so bad." Well, it isn't. I promise you it isn't, but we have maybe fewer topics today, but they are all super think-needy, especially that first one related to GDPR.

We're also going to take the time to talk about some ICANN security warnings. There's definitely a lot of, I would say, breadth in the space right now. And it's something that we all need to be mindful of and really be paying attention to. We'll cover that as well.

All right. So for those of you who are new to this series, and I do see a few new names, which really makes me happy, we always like to start off with just a little bit of an overview of who ICANN is. So ICANN is Internet Corporation for Assigned Names and Numbers. It is a multi-stakeholder consensus policy organization. I know that's a mouthful, but it really is quite a unique organization.

It is one where . . . if you look at this kind of flow chart or org chart, the ICANN staff, they're certainly paid, you know, to do the work that they do for ICANN the organization. But many of the other people on this org chart are volunteers. They have other day jobs. And so, they volunteer their time, and a lot of times it is part of their job responsibilities, so maybe it isn't quite volunteer work, but they volunteer their time and expertise to the ICANN community and to the overall kind of multi-stakeholder model to help develop policies that governs the domain name system, or the DNS.

So one group that we're going to spend a lot of time kind of talking about today is the GNSO. That's the Generic Name Supporting Organization. And that group is made up of a bunch of different kind of subgroups, so anything from registries, registrars, ISPs, to intellectual property owners, business constituency. These are all the kinds of groups that fall into this supporting organization.

And the policies will kind of percolate, if you will, through these subgroups. And then they'll kind of rise up to the GNSO level where they get reviewed and approved and ultimately sent on to the ICANN board of directors.

You'll also see some gray boxes along the right-hand side of the slide. And those are advisory groups or advisory committees that advise the ICANN Board. And really, they're . . . if you think of it as like kind of specialist groups.

So you have a couple that are specialists in security and stability, in kind of the technical aspects of operating the DNS. Then you have a group that's in the kind of darker gray box, the governmental advisory committee, and those are representatives from often the different country telecom agencies that kind of coalesce at ICANN and help look at the different policies that are being developed and kind of bubbled up to the Board of Directors.

They kind of give that public policy eye to all those things to make sure that, you know, individual country rights as well as the rights of the different citizens are being considered as these policies are being developed.

That's a quick overview of kind of ICANN and its structure.

It's also important to know that ICANN meets publicly three times a year. We're in the first meeting of the year, which is typically in March. That was the meeting that occurred two weeks ago that we're reporting on here today.

This is the meeting that's kind of most like the ICANN meetings of the past. The meeting strategy has gone through several iterations. And there was a very long period of time where there were three meetings a year and every meeting was a week long. It had lots of work group meetings. It had lots of cross community meetings. It had lots of high interest topic sessions. It was kind of the whole meeting from, you know, the smallest things to the largest thing all in one place over the course of a six- or seven-day format.

So that meeting is what kind of happened this past time. But over the course of the year, we'll have a shorter format meeting, which is really just working groups working through policy, and then Meeting C, which is sort of more like an annual meeting of ICANN. They do that to kind of showcase a lot of the work that's being done in the ICANN community.

So since we had about six days of meetings, there's a lot to talk about. Let's first start with the GDPR. And we'll kind of get into how the GDPR has impacted WHOIS, and that kind of happened through a process that occurred last year.

So last year, at the end of May, May 25th, many of you know that the GDPR, or the General Data Protection Regulation, went into effect. So that really meant that it became enforceable. And this directive was replacing the Data Protection Directive of '95.

And that directive certainly got a lot of countries in Europe developing or enhancing their already existing data privacy laws, but what the GDPR did is it really harmonized those laws across the EU so that it would be a little bit easier to kind of move from jurisdiction to jurisdiction. And there was a little bit more parity between how the data privacy laws worked in each jurisdiction.

Now, what's interesting about the GDPR is that it's extra territorial. And what that means is it not only applies to people and businesses that operate in the EU, but it also applies to businesses that work with residents of the EU.

So if you have a customer that's in the EU, but your company is based in Shanghai or Seattle or New York City, it still applies to you and how you work with that customer's data because they're an EU resident.

So it really is geared towards protecting personal data. And for many years, there's been this conflict, this kind of known conflict, between just generally data privacy laws and the WHOIS of the domain name system. But largely, it's been an ongoing debate and nothing that ever really people could coalesce under one point of view or one way forward.

And so, I can remember from my very first ICANN meeting one of the issues on the agenda where there was about . . . my first ICANN meeting, there were probably 200 people there. Now there are over 2,000 people around the world who go to these meetings. I can remember on the agenda that first meeting was WHOIS, and it just has gone on and on and on and on. But the General Data Protection Regulation really has required the ICANN community and ICANN the organization to really comply because of its extraterritorial nature.

So we had a situation last year where despite, I would say, a good nine months of very, very vigorous debate and discussion over the GDPR and how it did or did not apply to the WHOIS, we kind of rolled up to May 25th with not really any agreement in the community.

And as I mentioned, ICANN is a consensus policy organization. Getting consensus is not a fast process by any stretch of the imagination. So we kind of ran into the situation of "How do we move past May 25th if we can't get agreement on how the WHOIS might need to change to comply?"

And so, what ultimately happened was ICANN issued something called a temporary specification regarding WHOIS. And so, there are a lot of kind of contractual requirements around WHOIS that ICANN has with registries and registrars. And it really requires those parties to publish the WHOIS.

And the WHOIS, as many people on this call I'm sure know, is not just details about the domain name, meaning the domain name itself, who the registrar is, when it was registered, when it expires, its current status. There's much more information of the WHOIS when it comes to domain name.

And there have been these kind of poor contact fields, so you usually would see registrant, admin, technical, and sometimes billing. And those contact fields are filled with personal data because the domain name system doesn't really differentiate between individuals' domain names and company's domain names. The WHOIS record and the WHOIS requirements were all the same despite who the registrant of the domain name is or was.

So ICANN really found itself in quite a situation rolling up to that May deadline, and as a result, issued this temporary specification which allowed registrars and registries to publish less WHOIS information, especially that contact data. They were able to redact it in order to comply with the GDPR.

At that time, when the temporary specification was issued, it was clear that this debate was not over, that there was much more discussion and policy kind of development that needed to be done by the ICANN community. And so, that's when ICANN also initiated the Expedited Policy Development Process, the EPDP, for the very first time in its history. So ICANN has been around for about 20 years, a little over 20 years now. And this is the first time the EPDP had been initiated.

So it really was done over time to be able to develop those WHOIS policies around collection, storage, display, transfers, and ultimately access to WHOIS information.

So that temporary specification really became the basis of the work that the EPDP team would do. And so, very quickly after the temporary specification and EPDP were initiated, a team was assembled to start looking at this in a very kind of expedited and very focused way.

One of the features of the EPDP and what makes it really special is it's required that you kind of get to a policy outcome within a year. So most PDPs in the ICANN kind of world will take two-plus years. There have been some that have taken three, four, five years and more.

For something to happen within a year on the policy front, especially on something as kind of controversial or contentious as WHOIS, that was a pretty big ask. And most people within the community were pretty skeptical that that could happen.

The group came together, and I would say even when we did our webinar in the late part of 2018 after the ICANN meeting in Barcelona, we didn't have a lot of hope that this was going to go well, quite candidly. The team had been struggling a bit. Fortunately, I think ICANN had worked toward procuring some professional mediation services, and also put an outside counsel for this disposal of the EPDP team. And I think those two things really turned it around for this group.

And basically, the mediator helped them as they kind of kept on hitting those points in the discussion in the debate. When people were just not trying to find a middle ground but instead digging in, those mediators were there to help them through that process and get to a resolution on at least that small subissue.

And in the same respect, the outside counsel component of it really helped. As they ran into legal questions, they were able to kind of farm that out to outside counsel to get some legal guidance.

So we were really pleased to kind of see that by the top of the year things had really turned around. And in fact, they were able to issue a final report on kind of the Phase 1 piece of the EPDP overall charter.

Now, Phase 1 piece is the part that has the one-year time limit on it. So essentially, so far, they're on target. They've issued a final report. That final report was sent to the GNSO counsel, and that was the group we talked about at the top end of the presentation. And the GNSO counsel on March 4th approved the final report.

And so, now it has gone out to public comments. And you'll see on our next slide, we'll have a link for you to be able to go and check out the report as well as read the public comments that are coming in, or in fact also submit public comment if you would like to yourself.

So that will go through April 17th. Then the ICANN staff will do kind of a quick summary of all the comments that come in. And they'll share that with both the community and the board. And the board is expected to vote on the Phase 1 final report in the May/June timeframe.

And quickly on the heels of that, then they're going to start working on Phase 2. There's already some pre-work that's been done. But they still need . . . there are some kind of logistical things they need to get into place, like finding a chair. The chair from Phase 1 has resigned. He's got some other things that he needs to focus on, but now they're looking for a chair to kind of lead the charge on Phase 2. They just extended the deadline for that, looking for those expressions of interest. So, hey, if you're interested, check out the ICANN website. They have an announcement there for looking for a chair for Phase 2.

But really, right as soon as the ICANN board approves, which is widely expected that the final report for Phase 1, this Phase 2 work will begin. I think the Phase 2 work is going to be . . . the first part was pretty complicated, but I think the Phase 2 work is going to require even more heavy lifting. We'll see, but there's a lot of kind of . . . there's more than just policy work here. It's kind of the logistics of how access to data is going to work.

I think that's the thing that most brand owners are the most concerned with, is that I think people can see that the GDPR and the WHOIS policy as it was prior to May 25th of last year, they were in conflict. And I think, for years, people have known that WHOIS really was butting heads with privacy laws around the world.

But I think now that we've lived, you know, about nine months with the disappearing WHOIS, with WHOIS being redacted in large part, we now understand the challenges that that causes for brand protection, for security reasons, for things as simple as getting it an SSL certificate, a digital certificate.

There are all sorts of things that people use the WHOIS for every . . . again, people from brand protection and enforcement to law enforcement. It's really been a source of data that people have routinely relied on, but now it's been disappearing effectively.

And I think many are looking forward to the day when we can get to a point where for legitimate reasons they can get back to that data. And that's what really Phase 2 is about, is figuring out what should that be? How should that work? I think largely it's agreed that it's going to be sort of a gated multi-tiered kind of access model. But the details around that and the accreditation and the kind of process and systems that go along with that, all those details still need to be worked out as part of Phase 2. So a lot of work to do.

So let's talk about that EPDP Phase 1 report. It really was 29 recommendations. What that's really going to mean to the contact data, let's kind of really drill into that as to how that's going to impact what already seems to be a pretty thin WHOIS.

And I think one of the things that will probably be the most kind of eye opening to people is currently the WHOIS has four contact types. It's the registrant, the admin contact, the technical contact, and, in some cases, a billing contact. Well, the under the new recommendations, the final report on Phase 1, one of the recommendations is to eliminate the admin contact all together. For someone who's done this for 20 years, my heart stopped when I when I heard that for the first time, and I thought, "How can we do that? That's just impossible."

And, you know, it's going to be different for sure. But when you really look at a lot of WHOIS records, you'll notice that many times the registrant contact fields exactly mirror the admin fields. So in some ways, it is getting rid of a redundancy. And so, I think that's not as shocking maybe as one might think initially.

Also, the technical fields will largely, you know, become more optional, if you will. They are ones where it's really going to be up to the registrar whether or not they want to publish those.

So you can kind of see in this line by line on the contact field, we're going to be down to a very, very, very small sliver of information that will be part of the public available WHOIS.

So that's kind of like today. Anyone can get it. It'd be free. You wouldn't have to test anything. You don't have to have any special purpose to look at the information. But that set of information you're going to kind of get the domain details, again, what the domain is, who the registrar is, creation date, expiration date, those types of things, name servers. But when it comes to the contact information, you're looking at likely a very minimal set of information in most cases. So it's something that we're all going to need to adjust to.

Behind the scenes of this, to also kind of let you know, is what's been kind of going on in parallel is a change in how the WHOIS system actually technically operates. So currently, it's very much a web-based system. We're going to be moving to what's called the RDAP model, which is . . . there's a number of advantages of RDAP, but one big one is it will handle internationalized characters far better and sort of enable for better handling of that data. It's more secure. It will standardize the data, the outputs that will be there, and also it's likely more secure.

So there's a bunch of advantages, but this RDAP kind of shifts from the web-based WHOIS to an RDAP solution. It's something that registrars are currently working on and actually are going to need to get in place by August of this year, late August. So that's something that's going to be kind of going on behind the scenes.

And in a lot of ways, it's interesting how this is all coming together. We've been talking about RDAP for several years now, but ironically it comes at of time now with this EPDP Phase 1 piece and beyond the Phase 2, on the heels of that. It comes at a time where we do need the technical capability to have sort of this tier-dated access, and the RDAP way of handling WHOIS will enable that to happen.

I talked to many clients and they are very . . . this change in the WHOIS since last May has caused a lot of challenges in their normal workflows and how they are able to pursue infringement and security issues. And I agree that is . . . it just seems like we should have been able to come up with a better way. But there wasn't and we are where we are.

But I do believe that this whole kind of GDPR-induced situation is ultimately going to get us to a final solution on WHOIS. I can, again, remember my very first meeting of an ICANN meeting and WHOIS being on the agenda, and it'd be great in 20 years' time for that to finally be put to bed. Maybe I'm just too optimistic, but I certainly hope that that's the case, because I think it's time for this issue to finally be one that we can kind of move forward from.

All right. So I probably don't need to tell anybody on this call. I know that there are . . . I see some names there that I recognize. These WHOIS changes have really diminished visibility, really made it hard to audit your own portfolio. Domain names, it's really hurt in terms of being able to kind of pull together a bunch of names an infringer has as opposed to kind of going at one at a time. And it's really been challenging in terms of determining ultimate ownership of domain names.

So these are definitely been both IT and security implications of this diminished WHOIS, but I think we just all have to keep plowing forward to get to, hopefully, what will be a much better place.

Now, what I'm going to share with you here is . . . I know it's a very busy diagram and I apologize for that. This is something that was a slide actually out of one of the ICANN staff presentations at the meeting in Kobe. And it really tries to kind of give you that visual, if you will, of how we kind of take these Phase 1 recommendations and how ultimately the Phase 2 will kind of bake into it.

So maybe we should just take a few minutes to kind of break this down for you a little bit. So I would recommend you start looking at it from the left side of the slide. And it really talks about that registrant data and what we kind of went through about how a lot of the contact data is going to disappear from the web-based, and ultimately RDAP, WHOIS output.

So you'll see that your different fields, like the registrant organization, are likely to go away, but you'll have some very basic information around the state, the province, and the country.

You'll also continue to see more and more that web form in a WHOIS, where if you want to reach out to the registrant, you click the link and you can write essentially an email to the registrant and then hit Submit from the WHOIS and it will send off. You will never see the registrant's email address, but it will be kind of an anonymized email that will be sent with the contents of your message to who the registrant is in the backend of the registrar's records. The message will go to that email address that's on file.

But I think one of the challenges with that has been tracking. You hit Submit and you don't ultimately know if they receive it. So I know that that's been a challenge.

You'll get information about the registrant, creation, expiration date, as I mentioned. So, you know, it will be a pretty thin WHOIS.

Now, there will be will be . . . while we're waiting for the day when we get to Phase 2 implementation where we have a new way of kind of accessing beyond the basic WHOIS, we're going to have to kind of continue in this world of requesting additional registrant data where there's a legitimate purpose.

So the goal is for registrars and registries to have a more standardized process, and that's in the recommendation. So that would, I think, benefit us all right now. It's very challenging from registrar to registrar how to kind of engage that registrar to get the information even if you have legitimate purposes. Some have forms online. Some you have send an email, but you don't know what exactly the email needs to contain. Some are kind of in between those models.

It's a little bit hodgepodge right now, so hopefully we can, as a result of the EPDP Phase 1, get that standardized. So that's going to kind of be what is going to be around from now until we get this Phase 2 piece in.

Now, if we kind of swing over to the right-hand of the slide, you'll see this is just very high level at this point. Again, I think there's a general agreement that it should be a tiered, kind of gated access where there would be some kind of accreditation that would need be to be obtained. Again, the rules and process for that not yet determined.

And that ICANN would manage some kind of ICANN WHOIS hub, if you will, that would have the credentials, validation, and logging. There'd be interfacing with the registrar to get that data, and then it would come back through a query or through the query, through whatever system is determined to kind of send that back through.

You know, the goal is for it to be automated. But there will be still situations where you'll need to go through a manual process to get accredited, etc.

The hope is to really put back into place a mechanism where law enforcement, consumer protection, cyber security, IP protection, child welfare, will have an opportunity to kind of get to that WHOIS quickly and not have to kind of swim their way through a manual process in hopes of getting information. So that's really the goal.

ICANN did kind of pull together a technical steering group. They would call it another ICANN acronym, TSG, where they've kind of modeled out what the infrastructure could look like for this to try to help inform the Phase 2 EPDP group.

You know, I think that was just presented at the last ICANN meeting. There was, I would say, some people who were like, "Okay, that's good. It's good to have that kind of early work by people who understand this system." I think some others were like, "Wait, we have ideas of how this could happen in a different way." So I think that's yet to be determined if that's adopted.

But there is a lot of kind of prep work trying to be done in advance of this EPDP Phase 2 group getting started in this kind of May/June timeframe. So I think it's good that people are trying to get a head start.

But I think the one thing I really want to emphasize is there is no timeline on this part of the EPDP. So while the first phase, as I mentioned, had a year, and it looks like they're going to make it, this one does not have a timeline. But the community at large is really calling for, once this group comes back together with a new chair, that they kind of self-impose milestones and dates that the community can get behind. Because I think the fear is this could go on for years and that will not help anybody. So I know that's something I'm very much a proponent of and CSC is very much a proponent of. We should be able to wrap this up in 12 to 24 months at the worst. I think that this has got momentum and we need to just keep on pushing.

So with that behind us, I do see we have a couple questions. Why don't we take one of those questions?

Annie: Sure. Our first question came in from Mark about WHOIS. He was asking, "When will we know whether this new WHOIS going to go into effect, and will this be how the WHOIS is for all domain names?"

Gretchen: Good question. So in terms of when, I think this first phase, like I mentioned, that came forward and we'll voting on it to likely approve in the May/June timeframe. So I think very shortly, within a couple of months, we're going to know that this is a go. Everything I'm hearing and quite honestly all the chatter in the industry is that it's very likely the ICANN board is going to adopt those recommendations.

So I think it's pretty clear as to what the WHOIS fields will be in terms of what's publicly available and then kind of what's behind the curtain. So I think we're going to know that really quickly. It will take registrars a little bit to implement that. As I mentioned with this RDAP also implementation going on, I think a lot of registrars are going to try to combine those efforts.

There is an end of August deadline for RDAP. It may be hard for registrars to kind of squeeze it all in by then. But the goal really is, based on the recommendations, to have kind of that new . . . the registrars adopting those WHOIS fields, what's being exposed, by the end of February of next year. So by March 1st, that would be kind of the state of affairs.

And in terms of if this is going to be the WHOIS for all domain names, I think it's really important to understand that ICANN policies only impact GTLDs, the generic top-level domains. So you're talking dot-com, dot-net, dot-org, some of the new GTLDs, you know, dot-shoes, dot-technology, dot-news. Those types of domains, ICANN governs those policies. The ccTLDs, so dot-fr, dot-jp, dot-sg, all of those are ccTLDs and will continue to do their thing.

Now, I think there will be some, especially outside of Europe, who will see that a policy like this or an approach like this may be the way to go. But I do think we'll see maybe some changes at some of the non-European countries, but most of the European countries because they have had privacy laws on the books for years. They were kind of more than halfway there already. Now, GDPR kind of required them to do some tweaks and this may have a couple more tweaks to institute, but it isn't a big ask for them.

Well, thanks for asking those questions.

So let's run now to a couple other PDPs that are going on, so those are policy development processes, at ICANN. And these next two relate to the new GTLD program. So again, for those of you who've been with us for this series over time, you know that ICANN had a period of time in 2012, it was from January through May, where they accepted applications for new TLDs. And they did. They got over 1,000 applications. That process has kind of been a bit of a slow go from 2012 until . . . it's still going now. But we have well over . . . I think it's over 1,200 new TLDs that have come from that process to the GTLD space.

Now, as that process kind of unfolded, many recognized that maybe there was room for improvement. There were a lot of things that, in the eight-year policy process, rolled up to the 2012 opening of the application window. I think many people thought we had figured out just about everything we needed to figure out. But we quickly learned that wasn't the case. And that was why kind of the rollout of the program was a bit bumpy.

So ICANN has promised that before they would roll out a second application window, they would kind of go through the policies and understand what went well, what didn't go well, and then look to make corrective action so that when there was a round two, it would be a much better process for everybody.

So one of the big areas of interest is obviously rights protection mechanisms as it relates to trademark holders. And so, this PDP was kind of being sliced, if you will, into two subs, kind of two phases. Seems like phasing is a big thing in ICANN, as you can tell.

So the first part was really around the new rights protection mechanisms that were kind of part of the new GTLD experiment, so things like a trademark post-delegation dispute resolution procedure, the trademark clearinghouse Sunrise and trademark claim services, as well as uniform rapid suspension dispute resolution procedure.

Phase 2 is more an analysis of the UDRP, which is the Uniform Dispute Resolution Policy. That has been a dispute resolution policy that has been in effect since 1999. So it precedes the new GTLD program. But still, it was one of the rights protection mechanisms that was available in new GTLDs. So they kind of saved that review for Phase 2.

But Phase 1 has been going on. They are actually wrapping up the preliminary evaluation of the Phase 1 topics. There was a significant discussion at this meeting around the trademark claims and what's called the SMD file, which is used for Sunrise registration. Many of you who do Sunrise registrations know that the registrar needs that SMD file from the trademark clearinghouse. It has a bunch of encrypted trademark data that enables us to basically tell the registry, "You are eligible as a trademark holder to register the string that you're trying to register during Sunrise."

The initial report from this team is currently expected in June of 2019, so a few more months before we get there. They're including some feedback they've received so far. But this team is behind, and you'll see that as we kind of talk about the next PDP, which is the subsequent procedures PDP.

This one is more about kind of the rules of the application process, if you will. So there was something called The Applicant Guide Book that ICANN issued that had all the rules of applying and how the process should roll out.

And so, this PDP team really kind of broke their work down initially into four work tracks. And then at, I would say, the almost halfway point added a work track five, but they've had five work tracks that have been going on and that they've been working through.

They are further along than the rights protection PDP. They've issued their initial report. They're just working through some work track five, things related to the geographic names of top level. And they expect to finish that work in Q2 of this year, 2019.

So you can see with the kind of the darker orange that the RPM team is kind of further into 2019 and even to the top of 2020 before they expect to finish their work. So it's going to be a little bit of time until we get through all these things.

The challenge is that these reports will kind of provide a final set of recommendations. But there's likely to be things that need to be done to implement those recommendations. So it's really a big question mark, and I put four here in fact, for when round two will happen.

There's not a week that goes by where I don't get asked, "When do you think round two will be?" So I have an answer for, I would say, the two camps that exist out there. There's a group of people who really would be very happy never to see another new GTLD be launched because it has been a brand protection nightmare and it has really caused brands to have to increase budgets for some defensive registrations and enforcement. So for you folks, I can tell you it's not any time soon, and hopefully that makes you happy.

For the folks who are anxious . . . we do get calls from companies who would love to have their own dot-brand. For those folks, I have probably sadder news. I would say, at the earliest, we're talking 2021. I think it may even go beyond that. And the reason I'm saying that is all this work around the WHOIS is taking up an enormous amount of sort of volunteer time.

I would say it takes up all the air in the room because it really does. I mean, this stuff is very detailed and it takes a lot of volunteers and hours on conference calls and dealing with time zones and language differences to kind of get to consensus. So I don't anticipate that there's going to be a lot of volunteer time that can be applied to the implementation pieces that will come out of these recommendations.

So, again, 2021, I would say, by the earliest. I think it's likely after that. So hopefully, I had an answer there for everybody.

All right. I think we have one more question, so let's take that.

p

Annie: Yeah. This question is from Joan, who is asking, "What is going on with the implementation of privacy and proxy accreditation?"

Gretchen: Oh, yes. Very good question. So several years ago, one of the PDPs that happened was related to privacy and proxy registration. So back in 2013, ICANN signed new contracts with registrars called . . . they kind of updated what was called a Registrar Accreditation Agreement. That accreditation agreement had a provision in it that talked about ICANN implementing an accreditation process, a contract and an accreditation process, for resellers. So these are people registrars will kind of enable to sell domain names. While ultimately the registration is in the sponsoring registrar's name, these resellers, often web-hosting companies or advertising companies, will procure domain names for their clients and resell them to them.

There was kind of a lot of problems around in the reseller market as well as in the primary registrar market with these privacy and proxy services where you don't really know who was behind the names. And so, ICANN really wanted to get contracts and accreditation processes that they could have a bit more nexus with them and could enforce certain provisions so that bad guys weren't hiding behind these privacy and proxy services.

So that was supposed to happen by 2017. The policy development process went a little longer than that, but the implementation team started work on that a couple of years ago.

And now with all this GDPR impact, that team has been on again, off again, on again, off again, because implementing this in a really turbulent WHOIS environment, it's been hard to coalesce that policy development process with these others.

So right now, I would say on hold again, and likely will be on hold until we finally get through all of the implementation, including the Phase 2. Maybe they're able to restart it and work parallel to Phase 2, but I think it's a way of certainty around Phase 1 and that Phase 2 gets underway. I think it will be a little while until we see that team get back to work. So good question.

All right. So let's move to the next what I would say hot topic at this ICANN meeting, and that was security. In mid-February, there was an alert issued by ICANN. It actually happened on a Friday night, in Friday night U.S. time. This alert was issued by ICANN basically warning about these attacks on the DNS, the Domain Name System. And it referenced a bunch of articles as well as reports that had come up just prior to this being issued.

And basically, one was a document that was issued by the United States Department of Homeland Security. There's been some security research done and published reports related to DNS hijacking.

And so, one blog that reports on these types of things very regularly is a blog called Krebs On Security. Brian Krebs is the person behind that. Very well-known. Very reputable expert in this area.

And he had been highlighting some reports that had come out, and some research that had been done around the different threats that were happening in the DNS. And I will tell you here at CSC we've been very aware of this for well over a year now. We have seen the escalation of attacks on the DNS. It's just been exponential. It's been amazing.

And you actually see even in kind of regular media, not even industry media, you see report after report about companies having data breaches. Basically, their website is being redirected, hackers creating, you know, phishing schemes that create clone sites, and customer data is consumed up by these fraudsters. It has been absolutely terrifying as to what is going on out there.

And so, ICANN issued this alert and it was the first time in the 20 years that I've done this that I've ever seen them issue an alert like this. So it certainly caught my attention at about 11:30 p.m. on a Friday night, U.S. time. Initially I read it and I thought, "Oh, there's something new that's happening right now." And then the more I read it, it was saying, "This is ongoing and constant," which we can absolutely attest to that.

So what ICANN did at this meeting was they had a number of workshops and seminars to try to educate registrars, registries, and just general internet users who come to these meetings, policy people, governments, about what is going on out there. What are the threats that we're seeing? And what are some of the very basic things that registrants can do or companies that run websites can do to protect themselves?

And it was music to my ears. We have been screaming from the rooftops here at CSC about this for a good . . . like I said, we've been watching this happening well over a year. I would say, for the last year, we've been kind of screaming from the rooftops on this.

Because there are some very basic things that companies and individual registrants can do to protect themselves that, you know, are just things that probably people are not aware of.

And so, I'm going to go to this next slide where this is kind of the DNS system, if you will. There are lots of handoffs that happen. There are registries, there are registrars, there's a root DNS, there are lots of interactions, all electronic. They're happening to make things happen.

There's e-commerce. There's information being sent around. And when it all is going great, it's wonderful. It's amazing how this has all evolved and information and business gets done on the internet.

But there are bad guys. And the bad guys are always trying to figure out how to inject themselves into the system. And DNS hijacking is one way they're doing that. And so, you know, they can try to manipulate the zone file, or they can try to actually manipulate domain name servers.

And so, something as basic as putting registry lock on your domain name can help prevent that. That's not something that is expensive or very hard to do. And so, it really is some very common sense things that you can think about that need to get done to protect you and your company.

And so, we have . . . actually, I should share this first. And I think what happens is a lot of times we think, "Well, you know, my company has five websites. And so, as long as I make sure we're okay with those five websites, we'll have no issue." Well, the problem is that domain names and the DNS itself is underlying many different things that happen or services that occur within your organization.

So we've already talked about, "You have a website?" Yes, that's one way your customers interact with you. But you also use FTP servers, you probably also use cloud-based authentication, email, VPN, Voice over IP. Those are just some of the basics.

And when a domain or DNS fails, when one of these bad guys gets in to your registrar's system, and he's able to manipulate DNS records, that's when really bad things can happen. And all these different services that your company uses, these different means of kind of interacting and connecting, your business operations can be brought to an absolute halt. I mean, imagine having no email for a few days, or for a couple hours even. You can't imagine what business disruption that would do.

So there are a bunch of best practices that we . . . we've been offering this digital asset security checklist to our customers. It's really security best practices. Things like, you know, "Look at your procurement process? Are you making sure that the people that you're working with for DNS, SSL, domains, are they enterprise class?"

A lot of times, those types of vendors have been evaluated on sort of price, maybe convenience. People just like . . . they have a favorite website. But the bottom line is that is not the basis on which you should be making decisions today because there's a lot of security that needs to be around your assets. And so, you need to have firm control over who has access to those assets, who controls them, what happens when those people leave, and as well as things like registry lock, which we call MultiLock here at CSC, making sure that you're locking domains at the registry level so that automated processes can't impact your name, best practices related to 2FA, basically two-factor authentication, and the list goes on. DNS factors. There's a number of things.

So this checklist is a really good one-pager, if you will, that will give you a nice overview of the things that you should be doing internally.

We have that. We can certainly offer to help you make sure that you're doing all the right things. And we also have a new platform, which we call CSC Security Center. So for those on the line who are CSC customers already, we can get you activated on CSC Security Center. It's not anything additional.

What CSC Security Center does is it is able to look across your domain portfolio, and based on a proprietary algorithm, we are able to identify what are vital domains to your business, so those domains that really power your business, where there's significant traffic, where there's things that are active and being used in some way. Remember my slide with the examples of ways the DNS is utilized.

So Security Center will not only identify those vital domain names for you, but then it will also identify risks within those vital domains where maybe you don't have MultiLock or registry lock where you should, where you have non-enterprise class providers. It will also alert you when there are changes to DNS, when domains are in lapse, when domains are transferred out. So these are all great alerts that you can receive to make sure that you're on top of your digital assets.

So, you know, just answer the poll question, and if you'd like more information about either of these things, either you want the checklist or would like to learn more about CSC's Security Center, I'd be happy to share that with you.

But I think that's probably it for today. So thanks, Annie. And I'll turn it back to you.

Annie: Thank you very much, Gretchen. That was a great presentation filled with a lot of important information for our audience. As Gretchen mentioned, we're pretty much at the top of the hour.

Folks, if we didn't get to your question, we will contact you with a response after the webinar. And we thank you for your attendance today. We hope to see you next time.